The task seems straightforward: configure a zone-pair from source vlan123 to destination vlan34 and then inspect ICMP and HTTP.

The answer shows that the class-maps call ACLs for ICMP and HTTP. I do not understand why that is necessary if we can just "match protocol" in the class-map.

I get that we need to map port 21 to HTTP with an ACL specifying R4's loopback.

Also, the answer shows TWO zone-pairs, one for each direction, but the task does not say to do that, so I don't understand why it is necessary. What is the point of the inspection policy if there is a zone-pair required in both directions just to let a ping go from R1 to R4 and back? Isn't the zone-pair supposed to be a stateful inspection?

Somebody please explain why the extra config is required.

-Lance

Comments

You can just match on protocol, correct; the solution just gives you another way of matching it. Based on the log, ICMP traffic needs to match a pass action, thus for PING to work, you need policies both ways between zones with pass action for ICMP; also, based on the last task requirement which says "Configure R3 to log for traffic not matching any of the configured class-maps", you need the log action in the default class-map in both directions.
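To make the inspect-versus-pass distinction concrete, here is an added example of a minimal Cisco IOS zone-based firewall configuration. It is not the lab's answer key and not taken from the thread; the zone names, interface names, ACL number, policy names and the 10.4.4.4 loopback address are all constructed for illustration. The first policy uses `inspect`, which is stateful, so a single zone-pair is enough for echo replies to come back; the second part shows the `pass` variant the answer relies on, which is stateless and therefore needs a zone-pair and policy in each direction.

```cisco
! Added example, not from the original post. Zone, interface, policy and ACL
! names below are constructed; 10.4.4.4 stands in for R4's loopback, whose real
! address is not given in the thread.
!
zone security INSIDE
zone security OUTSIDE
!
interface Vlan123
 zone-member security INSIDE
!
interface Vlan34
 zone-member security OUTSIDE
!
! Map TCP/21 to the HTTP application only when the destination is R4's loopback,
! so that 'match protocol http' also classifies that traffic. The port-map 'list'
! keyword takes a standard ACL that names the host(s) the mapping applies to.
access-list 10 permit host 10.4.4.4
ip port-map http port tcp 21 list 10
!
! --- Stateful variant: one zone-pair is sufficient -------------------------
! 'inspect' creates a session entry for each ICMP echo / HTTP connection, so
! the reply from OUTSIDE to INSIDE is matched against that state and allowed
! without any OUTSIDE->INSIDE zone-pair.
class-map type inspect match-any C-WEB-AND-PING
 match protocol icmp
 match protocol http
!
policy-map type inspect P-IN-TO-OUT
 class type inspect C-WEB-AND-PING
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect P-IN-TO-OUT
!
! --- Stateless variant: a zone-pair is needed in BOTH directions ------------
! 'pass' forwards matching packets without creating a session, so the echo
! reply arriving on the OUTSIDE zone has nothing to match against and would be
! dropped by the implicit inter-zone deny. A second zone-pair with its own
! policy is required, and 'drop log' on class-default in each direction
! satisfies a "log traffic not matching any class-map" requirement.
class-map type inspect match-all C-PING
 match protocol icmp
!
policy-map type inspect P-OUT-TO-IN
 class type inspect C-PING
  pass
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect P-OUT-TO-IN
```

With only the first zone-pair in place, `show policy-map type inspect zone-pair sessions` shows an entry per ping or HTTP connection while it is open; switch the ICMP class from `inspect` to `pass` and no session is created, which is exactly why the answer needs the return-direction zone-pair. From a defender's point of view, `pass` also gives up the sequence and rate checks that inspection applies, so it should be reserved for traffic that genuinely cannot be tracked statefully.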